Presentation Material
Abstract
The presentation begins with an introduction to phishing, its impact across various industries, and the scale of the threat it poses. We then deep dive into phishing attack types, explaining the entire attack lifecycle, including the security controls industries use to prevent phishing and how these defenses work. Next, we discuss the custom phishing infrastructure we built using open-source tools like GoPhish and Evilginx. We demonstrate how to execute a full-fledged phishing attack, including setting up phishlets and lures that support MFA bypass, and how attackers leverage stolen tokens and credentials. We also cover the step-by-step setup of each attack phase, detailing the exact requests that need to be captured for a successful phishing campaign. A visual breakdown of the attack infrastructure follows, explaining each component and its role in the phishing operation. We then discuss various techniques attackers use to bypass modern security filters, ensuring phishing emails land directly in the victim’s inbox. After explaining the attack workflow and bypass techniques, we perform a live attack demonstration, showcasing how phishing leads to credential and token theft, ultimately allowing unauthorized access. After the offensive demonstration, we transition to the defensive perspective, introducing our newly developed phishing detection mechanism powered by fine-tuned LLM models that provide sentiment and behavioral analysis for more effective phishing detection. Finally, we showcase how this AI-driven detection system works, its components, and how it effectively identifies and prevents phishing attacks in real time. CONFidence 2025, 2 June 2025, Kraków.
AI Generated Summary
The talk addresses the persistent threat of phishing attacks, particularly within corporate and emerging web3 environments, and examines both attacker methodologies and defensive shortcomings. It details how traditional email authentication (SPF, DKIM, DMARC) and content filtering are frequently bypassed through techniques like domain aging, domain farming via cloud redirects, and the use of reputable but abandoned domains. A significant focus is on evading multi-factor authentication (MFA), demonstrated through a red team case where an SSO portal misconfiguration allowed MFA bypass via a guest network, granting broad internal access.
The presentation reviews common phishing tools (GoPhish, Evilginx) and their detectable indicators, then describes systematic modifications to these tools—altering default headers, user-agent strings, and email signatures—to avoid security product detection. A core contribution is the development of a custom, locally-deployable large language model (LLM) for behavioral email analysis. This model evaluates multiple signals: sender history, domain reputation and age, geolocation mismatches, homoglyph detection in URLs, and contextual sentiment. Integrated as a browser plugin or API for platforms like Office 365, it provides real-time user alerts before link interaction, reporting a 98% success rate in preventing clicks during deployment.
The practical implication is that purely technical, rule-based defenses are insufficient against adaptive, psychologically targeted attacks. The speakers advocate for a layered defense strategy where behavioral AI analysis supplements existing gateways, focusing on anomaly detection in communication patterns and link characteristics to mitigate the inherent vulnerability of human users. The model’s design allows for on-premise operation to address data privacy concerns.